decyphervlan
Visitor III
October 5, 2025
Solved

How to setup active-active multi-homed 2 x ISP with 1 Fortigate

  • October 5, 2025
  • 3 replies
  • 3568 views

I have a Fortigate 2201E and want to set up an active-active multi-homed setup with 2 x ISPs for web/app hosting on servers in the datacenter.

I have 10G from each ISP and would like a truly redundant HA setup that is active-active, not primary/failover.

I use Cloudflare as firewall/proxy/DNS in front of the Fortigate, for reference, and wanted to check what the best route for this setup is.

I know most people go for primary/failover as described in this guide https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-SD-WAN-with-Primary-ISP-and/ta-p/268524 by @lcamilo, but what I want is an active-active setup.

Is this a common setup, especially when not putting a router in front of the Fortigate and instead connecting directly to the ISPs from the Fortigate?

What I have heard so far is to use the SD-WAN feature and get IPv4/IPv6 blocks from each ISP. I will be getting a /24 IPv4 and a /48 IPv6 from each ISP. Then connect each ISP to an interface, set up dedicated virtual servers, virtual IPs, etc. for each ISP, and then set up load balancing on Cloudflare.

Is this the proper setup without setting up a BGP routing table on the Fortigate?

I also have my own ARIN /24 IPv4 and /48 IPv6 blocks, just in case there is a better setup that may require them.

So I am looking forward to the expert engineers helping guide the best way to approach this.

One benefit of active-active with 2 x ISPs, each with a 10G DIA uplink, is that I then get 20G.


3 replies

Toshi_Esumi
SuperUser
October 5, 2025

If you want to split two ISP circuits across two FGTs (regardless of whether it's multi-homed or not), you can't use HA, regardless of active-active or active-passive. The only option is to make each FGT an independent router, then connect them with iBGP, while the ISP peerings would be eBGP since you're dealing with two different networks/ISPs.

I'm wondering if you understand how FGT's a-a HA actually works. If you ask Google AI "Fortigate active-active HA all traffic still needs to come in primary", you'll get the answer below.

"Yes, in FortiGate active-active High Availability (HA), the primary unit is responsible for receiving all incoming traffic that is addressed to the cluster's virtual IP addresses. The primary unit then uses load balancing to distribute these sessions to other active units in the cluster, including itself. While subordinate units do process and exit traffic directly to their destinations, the initial entry point for the client-facing traffic is always the primary unit."

I'm not sure if "cluster's virtual IP addresses" is an appropriate term, but the main concept isn't wrong. You can find similar conversations elsewhere, like Reddit, if you search for the same.

Toshi

decyphervlan
Visitor III
October 5, 2025

@Toshi_Esumi not 2 Fortigates, 1 Fortigate; each ISP will be connected to an interface.

Active-active is on the 2 x ISP connections, meaning I will load balance traffic to an endpoint between them via Cloudflare.


Toshi_Esumi
SuperUser
October 5, 2025

If both ISP circuits are terminated at each FGT's two ports, meaning a VLAN switch (or switches) is terminating the circuits and distributing them to both FGTs, nothing is different between one standalone FGT, active-passive HA, and active-active HA. In other words, the HA setup wouldn't affect the BGP configuration on an FGT, which would be copied over to the secondary FGT via HA sync regardless of a-p or a-a.

Toshi

rosatechnocrat
Explorer III
October 5, 2025

Kindly share a topology diagram illustrating your setup to help us better understand your requirement.

Subscribe "ROSA Technocrat" on Youtube for Fortinet Videos and Troubleshooting https://www.youtube.com/@rosatechnocrat

decyphervlan
Visitor III
October 5, 2025

My post is asking which setup to go for, so this is pre-topology diagram.

This is a discussion to start the topology diagram.

 

decyphervlan (Author, accepted answer)
Visitor III
October 8, 2025

Based on further research, I will be going with using my IPs and setting up BGP, but not managing internet routing tables; instead I will use the default routes from each ISP.

SD-WAN is more for branch office outbound and internet browsing traffic, not for datacenter inbound and web hosting traffic.
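A constructed FortiOS CLI sketch of the approach the accepted answer settles on: the owner's own block is announced to both ISPs over eBGP, and only a default route is accepted from each, so the box never carries full Internet tables and never re-announces one ISP's routes to the other. This is an added example, not configuration from the thread or from Fortinet; the AS numbers, peer addresses and 203.0.113.0/24 are documentation placeholders, and the /24 is assumed to already be in the routing table (connected on the server-facing interface) so the network statement is advertised.

```fortios
# Placeholder values: own block 203.0.113.0/24, local AS 64500,
# ISP-A peer 192.0.2.1 (AS 64496), ISP-B peer 198.51.100.1 (AS 64497).
config router prefix-list
    edit "PL-OWN-V4"
        # exactly our /24; implicit deny stops anything else leaving
        config rule
            edit 1
                set prefix 203.0.113.0 255.255.255.0
            next
        end
    next
    edit "PL-DEFAULT-ONLY"
        # 0.0.0.0/0 and nothing else; a full table from the ISP is dropped
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
            next
        end
    next
end
config router bgp
    set as 64500
    set router-id 203.0.113.1
    # install both ISP default routes so outbound is ECMP across the
    # two 10G uplinks instead of primary/failover
    set ebgp-multipath enable
    config neighbor
        edit "192.0.2.1"
            set remote-as 64496
            set prefix-list-in "PL-DEFAULT-ONLY"
            set prefix-list-out "PL-OWN-V4"
        next
        edit "198.51.100.1"
            set remote-as 64497
            set prefix-list-in "PL-DEFAULT-ONLY"
            set prefix-list-out "PL-OWN-V4"
        next
    end
    # the block announced to both ISPs; inbound then arrives on
    # whichever path the Internet prefers, with automatic failover
    config network
        edit 1
            set prefix 203.0.113.0 255.255.255.0
        next
    end
end
```

After the sessions come up, `get router info bgp summary` should show both neighbors Established with exactly one prefix received each, and `get router info routing-table bgp` should show a single 0.0.0.0/0 with two next hops; the IPv6 /48 follows the same pattern with the v6 equivalents of these objects.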